The real moat in agentic AI is authority, not models.
Identity, delegation, and revocation infrastructure for non-human actors is the layer where the durable winners get built — and where Microsoft Entra Agent ID has just become the leading-indicator product.
The agentic AI conversation has been organized around the wrong layer. The market is debating models and orchestration platforms; the durable winners will be built one layer below, in the infrastructure that decides which non-human actors are allowed to do what, when, and under whose authority. Call it the agentic authority layer: an identity, delegation, and revocation control plane for software agents. As of mid-2026, it is no longer purely theoretical — Microsoft Entra Agent ID is in preview, Agent 365 ships a unified agent registry, and the non-human-identity vendor category has crossed $200M ARR. The category is forming inside an 18-month window, and where it lands will determine who is in the call path of every enterprise agent action for the next decade.
This piece argues the case. It separates agent identity from human IAM and from the broader non-human-identity (NHI) market, names the four primitives that make agent identity its own category, addresses the strongest counter, and tells a Founder, COO, or CTO what to do this quarter. The conclusion is unsubtle: this is one of the few category-formation moments left in enterprise software for the next decade, and most operators are sleeping through it because the frame they are using to evaluate agentic platforms does not have a column for it.
The forgotten layer.
The conventional framing treats agentic AI as a stack with three interesting layers — foundation models, orchestration platforms (LangChain, CrewAI, vendor agent SDKs), and applications. Vendors compete on each. Buyers ask which to choose. The authority question — who is this agent, who delegated this action to it, when does that authorization expire, what happens when it tries to act outside its scope — is treated as a feature of the orchestration platform, or a problem solved by re-purposing existing identity infrastructure: OAuth, SSO, role-based access controls, service accounts. It is neither.
Identity and authority for non-human actors is a different category from human IAM, structurally and operationally. Treating it as a feature of orchestration is the same mistake the early cloud era made when it treated network security as a feature of compute. The market eventually built a separate stack for it, and a generation of category-defining companies was born there. The agentic equivalent is one cycle behind, and the window for category formation is open right now.
Four moves.
Authority for agents is not authority for humans, and the existing identity stack will not stretch to fit.
Human identity is bound to a slowly-changing principal whose intentions are inferred from behavior over time. Agent identity is bound to a fast-spawning, ephemeral principal whose intentions are declared at instantiation and whose actions can scale to thousands of API calls per minute. RBAC, OAuth scopes, and service accounts were built for the slow case. Applied to the fast case, they fail the same way every time: an over-scoped service account becomes the agent’s persistent identity, the access token outlives the use case, and the audit log records that “Agent_v3” did something at 4:17am with no recoverable provenance for who delegated it the right to act. The leading-indicator deployments — Itaú’s Devin rollout, NEC’s machine-buyer, the SOX-bounded financial close agents at top-quartile banks — work only because they insert a named human owner per agent session, apply the same code-review gates as for human-authored code, and treat every agent action as if it were a junior engineer’s pull request. That is a workaround, not infrastructure.
The required primitives are time-bounded, revocable, and machine-introspectable.
Authority granted to an agent must carry an automatic expiration; be revocable in real time without restarting the agent; be queryable by the agent itself before it attempts an action; and be auditable by a human with no access to the agent’s internals. None of these is hard in principle; the difficulty is that the existing identity stack assumes long-lived principals and trusts the network boundary to enforce scope. Agentic systems collapse the network boundary and demand short-lived principals. The result is a category of infrastructure that does not exist as a discrete product yet, and the longer it stays undifferentiated from “orchestration,” the longer the market stays mispriced.
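The four requirements above (automatic expiry, real-time revocation without a restart, introspection by the agent before it acts, and an audit trail a human can read without touching the agent) are concrete enough to sketch in code. The following is an added illustration, not code from this piece, from Microsoft Entra, or from any NHI vendor; the class names, the agent and grant ids, the owner alice@example.com, the ledger resource id and the integer clock values are all constructed for the demo. It also encodes two assumptions the text implies but does not spell out: a sub-delegation may narrow but never widen or outlive its parent, and a revoked or expired link anywhere in the delegation chain voids everything delegated below it.

```python
"""Added example: a minimal agentic-authority control plane implementing the
four primitives (time-bounded, revocable, introspectable, auditable) for
ephemeral agent principals. All names and ids are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Grant:
    grant_id: str
    agent_id: str                 # ephemeral principal, e.g. one per agent session
    delegated_by: str             # human owner, or the parent agent, who delegated it
    actions: frozenset            # intent-bounded scope: what the agent may do ...
    resources: frozenset          # ... and on which resources
    issued_at: int                # plain ints stand in for timestamps (deterministic demo)
    expires_at: int               # automatic expiry; no grant is open-ended
    parent_grant: Optional[str] = None   # link in the delegation chain


@dataclass
class AuthorityPlane:
    grants: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def issue(self, g: Grant) -> Grant:
        if g.expires_at <= g.issued_at:
            raise ValueError("grant must carry a future expiry")
        if g.parent_grant is not None:
            parent = self.grants[g.parent_grant]
            # Assumption: a sub-delegation may narrow its parent, never widen or outlive it.
            if not (g.actions <= parent.actions and g.resources <= parent.resources):
                raise ValueError("sub-delegation widens parent scope")
            if g.expires_at > parent.expires_at:
                raise ValueError("sub-delegation outlives parent")
        self.grants[g.grant_id] = g
        return g

    def revoke(self, grant_id: str) -> None:
        # Effective at the agent's next introspection call; nothing is restarted.
        self.revoked.add(grant_id)

    def owner_chain(self, grant_id: str) -> list:
        """Walk parent links from the acting agent back to the human at the root."""
        chain, g = [], self.grants.get(grant_id)
        while g is not None:
            chain.append(g.delegated_by)
            g = self.grants.get(g.parent_grant) if g.parent_grant else None
        return chain

    def check(self, grant_id: str, action: str, resource: str, now: int) -> dict:
        """Introspection the agent calls before acting. Every answer is audited."""
        reason, g = "allowed", self.grants.get(grant_id)
        if g is None:
            reason = "unknown grant"
        elif action not in g.actions or resource not in g.resources:
            reason = "outside scope"
        else:
            cur = g   # a revoked or expired link anywhere in the chain voids the grant
            while cur is not None:
                if cur.grant_id in self.revoked:
                    reason = f"revoked at {cur.grant_id}"
                    break
                if now >= cur.expires_at:
                    reason = f"expired at {cur.grant_id}"
                    break
                cur = self.grants.get(cur.parent_grant) if cur.parent_grant else None
        entry = {"time": now, "grant": grant_id, "action": action, "resource": resource,
                 "allowed": reason == "allowed", "reason": reason,
                 "owner_chain": self.owner_chain(grant_id)}
        self.audit.append(entry)   # readable by a human with no access to the agent
        return entry


def run_demo() -> list:
    """Constructed scenario: a financial-close agent delegates a read-only sub-task."""
    plane = AuthorityPlane()
    ledger = frozenset({"ledger:GL-2026Q2"})
    plane.issue(Grant("g-root", "agent-close-1", "alice@example.com",
                      frozenset({"read", "post_journal"}), ledger, issued_at=0, expires_at=3600))
    plane.issue(Grant("g-sub", "agent-close-1/recon", "agent-close-1",
                      frozenset({"read"}), ledger, issued_at=10, expires_at=600, parent_grant="g-root"))
    try:   # the sub-agent cannot be handed more authority than its delegator holds
        plane.issue(Grant("g-bad", "agent-close-1/recon", "agent-close-1",
                          frozenset({"read", "delete"}), ledger, issued_at=10, expires_at=600,
                          parent_grant="g-root"))
    except ValueError:
        pass
    plane.check("g-sub", "read", "ledger:GL-2026Q2", now=100)          # in scope, in time
    plane.check("g-sub", "post_journal", "ledger:GL-2026Q2", now=101)  # intent-bounded: denied
    plane.check("g-sub", "read", "ledger:GL-2026Q2", now=700)          # lapsed on its own
    plane.issue(Grant("g-sub2", "agent-close-1/recon", "agent-close-1",   # fresh ephemeral grant
                      frozenset({"read"}), ledger, issued_at=700, expires_at=1300, parent_grant="g-root"))
    plane.revoke("g-root")   # the owner pulls the root grant while the sub-agent is still running
    plane.check("g-sub2", "read", "ledger:GL-2026Q2", now=800)         # voided down the chain
    return plane.audit


if __name__ == "__main__":
    for e in run_demo():
        print(e["time"], e["grant"], e["action"], e["reason"], "<-", " <- ".join(e["owner_chain"]))
```

Two design points carry the argument of the paragraph. Revocation is a control-plane decision the agent asks about on every action, so it lands without restarting anything; a bearer token cached inside the agent could not be pulled back the same way. And each audit entry stores the resolved owner chain at decision time, so the "Agent_v3 did something at 4:17am" log line from the first move always terminates in a named human, even after the ephemeral principal that acted has been retired.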
The market is mispriced because the failure mode is silent until it isn’t.
An over-scoped human-style identity granted to an agent works perfectly until an agent makes a wrong decision — and then the failure is total because the audit chain points to no one. Enterprises buying agentic platforms today are buying liability they cannot yet see. The reason this is mispriced rather than catastrophic-and-loud is that current agentic deployments are mostly bounded factory workloads (the Itaú pattern: well-scoped migration tasks, not open-ended decisions). Once the deployment moves to higher-stakes, dynamic decision domains — procurement, customer service with payment authority, clinical triage, financial reconciliation — the failure mode flips from theoretical to material, and the demand for the missing layer becomes acute. The 18-to-30-month window before that flip is the window for category formation.
Whoever builds the agentic authority layer will have unusual lock-in characteristics.
Identity infrastructure has historically been the highest-retention layer in enterprise software (Okta, Microsoft Entra, the various PAM vendors) because once an enterprise routes its principals through your system, ripping you out requires re-onboarding everything. The agent equivalent is structurally the same — once every agent in the enterprise is registered, scoped, and revocable through your control plane, you are in the call path of every agent action the enterprise takes. That is the moat. It is not a model moat — those reset every 12 months. It is not an orchestration moat — those churn with every framework cycle. The authority layer sits below both, and ripping it out means re-onboarding every agent in the company. Microsoft has shipped first; the open competition will form among the NHI vendors who can credibly extend their primitives to handle ephemeral agent principals at scale. The shortlist is short.
The strongest argument against this position.
The strongest counter is that this is a feature, not a category — that the major identity vendors (Microsoft, Okta, AWS) will extend their existing stacks to cover agents, and the moment will pass before any new entrant captures it. This is the embrace-and-extend argument, and it is correct in most software categories.
It is partially right and partially wrong here. It is right that Microsoft will own the Microsoft-aligned operator base — Entra Agent ID is shipping, integrated across the estate, and the path of least resistance for any organization standardized on Entra ID for human IAM. The Microsoft enterprise base is enormous and will not be contested by independents on the Microsoft surface. But it is wrong to extrapolate from Microsoft to the whole market. The data model required for agent identity — delegation chains, intent-bounded scopes, ephemeral principals at scale, machine-introspectable policy — is not a graceful extension of the human IAM data model used by Okta or Auth0. The schema differences run deep. And the buyers for agent identity are different from human IAM buyers: engineering leaders deploying agents, with different procurement authority, different evaluation criteria, different urgency. Different schema, different buyer. That is the formula that historically produces a new category alongside the incumbent — not in place of it. Microsoft owns the Microsoft estate; the open category forms around the rest of the market and gets consolidated through acquisition over the following five years.
Three things to do this quarter.
For a Founder, COO, or CTO of an enterprise piloting agentic AI:
01 · Treat agent identity as a separate architectural decision, not a feature of your platform choice. Do not let your platform decision (Copilot Studio, LangChain, vendor X’s agent SDK, your incumbent cloud’s agent service) absorb the authority question. The question is independent: who is allowed to do what in your business when humans aren’t in the loop? Decide that now, before scale forces it.
02 · If you are Microsoft-aligned, default to Entra Agent ID — but on your terms. The pragmatic answer for the Microsoft-estate operator is Entra Agent ID, integrated with Copilot Studio scoping and Agent 365’s registry. The discipline is to treat it as a data model, not a deployment shortcut: enforce the four primitives (ephemeral, intent-bounded, delegation-chained, machine-introspectable) explicitly in your agent design, even where the platform makes them optional. The platform default is “easy.” The operator move is “easy and disciplined.”
03 · If you are not Microsoft-aligned, watch the NHI vendor consolidation closely. Astrix, OASIS Security, Token Security, Strata, and Permiso are operating in the broader NHI category, but only some of them have credible roadmaps for agent-specific primitives. Pick the one that is shipping the four primitives natively, not the one with the loudest marketing. Expect at least one acquisition by an incumbent identity vendor (Okta, CyberArk, BeyondTrust) within 18 months. Plan for that acquisition rather than being surprised by it.
The decision you are about to make is about who is allowed to do what in your business when humans aren’t in the loop. That is not a technology procurement decision. That is the operating-model decision the next decade is going to grade you on.
SALT’s standing position-review rhythm grades published positions against subsequent reality. Where positions falsify, SALT publishes the correction explicitly.